
Cyber Incident Victim: ATR

Date: Jun 2017

Location: Ukraine

Summary

A widespread cyberattack employing Petya.A ransomware targeted Ukrainian critical infrastructure, including financial institutions, energy providers, government agencies, and media entities such as ATR TV channel. The malware encrypted entire disk partitions on Windows systems, demanding Bitcoin payments for decryption, disrupting banking operations, energy distribution, airport services, and media broadcasts. Initial infection vectors exploited vulnerabilities in M.E.Doc accounting software, with propagation leveraging EternalBlue and other network-based exploits. The attack caused significant operational disruptions domestically while also impacting multinational corporations globally, including logistics, energy, and manufacturing firms. Ukrainian authorities reported containing the incident through coordinated cyberdefense efforts, though recovery challenges persisted across affected sectors.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On June 27, 2017, a widespread cyberattack utilizing the Petya.A ransomware cryptoworm targeted Ukrainian critical infrastructure, commercial enterprises, and government institutions. The attack began around 15:00 local time with a mass email campaign distributing malicious attachments. Upon execution, the malware encrypted entire hard drive partitions on Microsoft Windows systems, rendering them inoperable and displaying ransom demands for $300 in Bitcoin. Initial victims included the state bank Oshchadbank, which experienced ATM and card payment system failures, and the energy companies Dniproenergo, Zaporizhzhiaenergo, and Kyivenergo, where reports indicated 99% of computers were compromised. Media organizations such as TRK Luks (affiliated with 24 Kanal TV and Radio Luks) and the ATR TV channel suffered broadcast disruptions, while the news site Korrespondent.net became inaccessible. Transportation hubs including Boryspil International Airport and Kyiv Metro faced operational challenges, with the latter unable to process card payments. Government entities such as the Cabinet of Ministers, National Police, and Cyber Police saw their websites go offline, though the Presidential Administration maintained normal operations.


The attack rapidly expanded beyond Ukraine, affecting multinational corporations including the Danish shipping firm Maersk, the British advertising conglomerate WPP, and the Russian oil company Rosneft. Forensic analysis revealed the malware exploited EternalBlue (a vulnerability leaked from NSA tools), Windows Management Instrumentation Command-line (WMIC), and the PsExec administrative tool for lateral movement. Ukraine’s Cyberpolice identified the initial infection vector as compromised updates for M.E.Doc accounting software, a critical tax reporting platform used by 80% of Ukrainian businesses. By 22:47, Ukraine’s State Service of Special Communication confirmed containment of the state digital resources under its protection, though recovery efforts continued at nongovernmental entities. Security researchers including Amit Serper developed mitigation techniques involving creation of a %windir%\perfc file to block encryption. Despite ransom payments totaling approximately $7,500, antivirus firms advised against paying because the attackers’ contact email address had been disabled. The incident caused cascading operational disruptions—Chornobyl Nuclear Power Plant temporarily switched to manual radiation monitoring, Kharkiv International Airport implemented manual check-ins, and supermarket point-of-sale systems failed. By June 28, partial restoration had occurred at the Government Portal and Ukrtelecom’s call centers, though full recovery timelines remained unspecified. The attack’s concentration in Ukraine—confirmed by ESET’s infection heatmaps—and the earlier December 2016 grid cyberattacks fueled allegations of state-sponsored activity, though no attribution evidence was disclosed in initial reports.
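The %windir%\perfc mitigation mentioned above is the one concrete defensive control on this page, so here is an added example (not from the original page, and not code by Amit Serper or any named researcher) showing how an administrator would apply it and verify it. It assumes it runs in an elevated PowerShell session on a Windows host; the file name `perfc` and its location under %windir% are taken from the page, and the read-only attribute is the detail that keeps the marker from being trivially overwritten.

```powershell
# Added example: create the %windir%\perfc "vaccine" marker described on the page.
# Assumption: run as a local administrator so the file can be written under %windir%.
$windir = $env:windir
$target = Join-Path -Path $windir -ChildPath 'perfc'

# Create an empty marker file only if it is not already present.
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType File -Path $target -Force | Out-Null
}

# Mark the file read-only so it is not simply replaced.
Set-ItemProperty -LiteralPath $target -Name IsReadOnly -Value $true

# Verify and report the result; a non-read-only file means the control is incomplete.
$item = Get-Item -LiteralPath $target
if ($item.IsReadOnly) {
    Write-Output "Marker present and read-only: $target"
} else {
    Write-Warning "Marker exists but is not read-only: $target"
}
```

This is a host-level stopgap for one malware family, not a substitute for patching the SMB vulnerability the worm used for lateral movement or for restricting the administrative tooling (WMIC, PsExec) it abused; the check at the end is what you would fold into a fleet-wide compliance query.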

Sources

Sources available to members (1 source)